table of contents
YAKEYROLLD-CONF(5) | YADIFA | YAKEYROLLD-CONF(5) |
NAME¶
yakeyrolld.conf - configuration file for yakeyrolld(8).
SYNOPSIS¶
${SYSCONFDIR}/yadifa/yakeyrolld.conf
DESCRIPTION¶
The configuration of yakeyrolld is consistent in a text file that can optionally include others. The general structure is a a sequence of containers: a sequence of lines of text starting with a <container-name> and ending with a </container-name>. Each line between these delimitters is in the form: variable-name value. The format of the value is determined by the type of the variable.
There are 7 types:
- FQDN
-
A fully-qualified domain name text string. e.g.: www.eurid.eu. - GID
-
Group ID. (Can be a number or a name) - HOST(S)
-
A (list of) host(s). A host is defined by an IP (v4 or v6) and can be followed by the word `port' and a port number. Elements of the list are separated by a `,' or a `;'. - INTEGER / INT
-
A base-ten integer. - PATH / FILE
-
A file or directory path. i.e.: "/var/plans". - STRING / STR
-
A text string. Double quotes can be used but are not mandatory. Without quotes the string will be taken from the first non-blank character to the last non-blank character. - UID
-
User ID. (Can be a number or a name)
STANDARD SECTIONS¶
There are 9 sections:
- <yakeyrolld>
-
General container, contains all the configuration parameters needed to start up yakeyrolld.
- domain FQDN
-
default: .Names one domain to manage, can be used up to 200 times. In yadifad.conf, each of these domains must have rrsig-nsupdate-allowed enabled in their respective <zone> section.
- log-path PATH
-
default: ${localstatedir}/log/yakeyrolldThe directory that will contain the log files.
- keys-path PATH
-
default: ${localstatedir}/zones/keysThe directory the name server uses to read zone key file.
- plan-path PATH
-
default: ${localstatedir}/plansThe directory of the step files.
- pid-path PATH
-
default: ${localstatedir}/runThe directory of the pid file.
- pid-file STRING
-
default: yakeyrolld.pidThe name of the pid file.
- generate-from STRING
-
default: "now"For plan generation, when to start the plan, can be overridden by the command line.
- generate-until STRING
-
default: "+1y"For plan generation, when to stop the plan, can be overridden by the command line.
- server HOST
-
default: 127.0.0.1The address of the name server for queries and dynamic updates.
- timeout INT
-
default: 3The number of seconds spent trying to communicate with the primary until it's considered a time-out.
- ttl INT
-
default: 600The default ttl value to use when generating records.
- update-apply-verify-retries INT
-
default: 60If an update isn't checked successfully, retries that many times.
- update-apply-verify-retries-delay INT
-
default: 1Waits that many seconds between two update apply tries.
- match-verify-retries INT
-
default: 60If a match test fails, retries that many times.
- match-verify-retries-delay INT
-
default: 1Waits that many seconds between two match test tries.
- policy STRING
-
default: undefinedThe name of the policy to use when generating the plan.
- uid UID
-
default: 0The uid to swich to. This should match the name server's.
- gid GID
-
default: 0The gid to swich to. This should match the name server's.
- <dnssec-policy>
-
Description of dnssec policies.
- id STR
-
default: -id of the dnssec-policy section.
- description STR
-
default: -Description for the dnssec-policy section.
- key-suite STR
-
default: -id of the key-suite to be used.
- <key-suite>
-
Description of the key-suites needed if 'dnssec policies' are used.
- id STR
-
default: -id of the key-suite section.
- key-template STR
-
default: -id of the key-template to be used.
- key-roll STR
-
default: -id of the key-roll to be used.
- <key>
-
TSIG keys
- algorithm ENUM
-
default: -Mandatory. Sets the algorithm of the key.
Supported values are:
(the algorithm names are case insensitive)}
- name FQDN
-
default: -Mandatory. Sets the name of the key.
- secret TEXT
-
default: -Mandatory. Sets the value of the key. BASE64 encoded.
- <key-roll>
-
Description of the key-rolls needed if 'dnssec policies' are used.
- id STR
-
default: -id of the key-roll section.
- generate STR
-
default: -Time when the key must be generated.
- publish STR
-
default: -Time when the key must be published in the zone.
- activate STR
-
default: -Time when the key will be used for signing the zone or apex of the zone.
- inactive STR
-
default: -Time when the key will not be used anymore for signing.
- delete STR
-
default: -Time when the key will be removed out of the zone.
- <key-template>
-
Description of the key-templates needed if 'dnssec policies' are used.
- id STR
-
default: -id of the key-roll section.
- generate STR
-
default: -Time when the key must be generated.
- publish STR
-
default: -Time when the key must be published in the zone.
- activate STR
-
default: -Time when the key will be used for signing the zone or apex of the zone.
- inactive STR
-
default: -Time when the key will not be used anymore for signing.
- delete STR
-
default: -Time when the key will be removed out of the zone.
- <channels>
-
Description of the logger outputs.
It contains a list descriptions of user-defined outputs for the logger. Depending on the kind of output, the format is different.
The "name" is arbitrary and is used for identification
in the <loggers>.
The "stream-name" defines the output type (i.e.: a file name, a
program output or syslog).
The "arguments" are specific to the output type (i.e.: unix file
access rights or syslog options and facilities).
- *
- file output stream channel-name file-name access-rights (octal).
- *
- pipe to a program channel-name "| shell command" channel-name "| path-to-program program arguments >> append-redirect"
- *
- STDOUT, STDERR output stream channel-name stdout channel-name stderr
- *
- syslog channel-name syslog syslog-facility
- <loggers>
-
Description of the logger outputs sources.
Sets the output of a pre-defined logger for yakeyrolld.
The format of the line is: logger-name output-filter
comma-separated-channel-names
Filters are:
DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3,
DEBUG2, DEBUG1, DEBUG, INFO, NOTICE,
WARNING, ERR, CRIT, ALERT, EMERG
Additionally, there are:
- *
- ALL (or '*') meaning all the filters.
- *
- PROD means all but the DEBUG filters.
The defined loggers are:
System operators will mostly be interested in the info and above messages of the keyroll and dnssec loggers.
EXAMPLES¶
Examples of containers defined for a configuration file.
- *
- Main
- 1.
- Config with includes
# start yakeyrolld.conf <yakeyrolld> container include /etc/yakeyrolld/conf.d/local.conf # end yakeyrolld.conf <yakeyrolld> container
- 2.
- Main without includes
<yakeyrolld>
# Detach from the console (alias: daemonize)
daemon off
# The directory to use for the log files
log-path "/var/log/yakeyrolld"
# The directory that yadifad uses to load private keys
keys-path "/var/lib/yadifa/keys"
# The directory to use to store the plans
plan-path "/var/lib/yadifa/plans"
generate-from "now"
generate-until "+1y"
server 127.0.0.1
policy "keyroll-policy" </yakeyrolld>
- *
- Key
TSIG-key configuration
- 1.
- Admin-key key definition (the name is arbitrary)
<key>
name abroad-admin-key
algorithm hmac-md5
secret WorthlessKeyForExample== </key>
- 2.
- primary-secondary key definition
<key>
name primary-secondary
algorithm hmac-md5
secret PrimaryAndSecondaryKey== </key>
- *
- DNSSEC-Policy
DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template
- 1.
- dnssec-policy example with all the needed sections
<dnssec-policy>
id "keyroll-policy"
description "Example of ZSK and KSK"
key-suite "zsk-1024"
key-suite "ksk-2048" </dnssec-policy>
- 2.
- key-suite
<key-suite>
id "ksk-2048"
key-template "ksk-2048"
key-roll "yearly-calendar" </key-suite> <key-suite>
id "zsk-1024"
key-template "zsk-1024"
key-roll "monthly-calendar" </key-suite> - 3.
- key-roll
<key-roll>
id "yearly-calendar"
generate 11 10 * 1 mon 1 # Januay, Monday of the second week at 10:11
publish 11 10 * 1 tue * # following Tuesday at 10:11
activate 11 10 * 1 wed * # following Wednesday at 10:11
inactive 11 10 * 1 mon * # following Monday, a year after, at 10:11
remove 11 10 * 1 wed * # following Wednesday at 10:11 </key-roll> <key-roll>
id "monthly-calendar"
generate 17 10 * * mon 0 # 1st monday the month at 10:17
publish 17 10 * * tue * # following tuesday at 10:17
activate 17 10 * * wed * # following wednesday at 10:17
inactive 17 10 * * wed * # following wednesday at 10:17 (one week after the activation)
remove 17 10 * * thu * # following thursday at 10:17 </key-roll> - 4.
- key-template
<key-template>
id "ksk-2048"
ksk true
algorithm RSASHA512
size 2048 </key-template> <key-template>
id "zsk-1024"
ksk false
algorithm RSASHA512
size 1024 </key-template>
- *
- Channels
Logging output-channel configurations:
It contains a list of user-defined outputs for the logger.
The "name" is arbitrary and is used for identification
in the <loggers>.
The "stream-name" defines the output type (i.e.: a file name, a
program output or syslog).
The "arguments" are specific to the output type (i.e.: unix file
access rights or syslog options and facilities).
- 1.
- Example: logging channels definition.
<channels> # name stream-name arguments
keyroll keyroll.log 0644
dnssec dnssec.log 0644
system system.log 0644
all all.log 0644 </channels>
- *
- Loggers
Logging input configurations:
The "bundle" is the name of the section of yakeyroll
being logged, sources are : database, dnssec, queries, server, stats,
system, zone.
The "debuglevel" uses the same names as syslog.
Additionally, "*" or "all" means all the levels;
"prod" means all but the debug levels.
The "channels" are a comma-separated list of channels.
- 1.
- Example logger configuration
<loggers> # bundle debuglevel channels
keyroll prod keyroll,all
dnssec prod dnssec,all
system prod system,all </loggers>
SEE ALSO¶
NOTES¶
Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.
CHANGES¶
Please check the file README from the sources.
VERSION¶
Version: 2.6.7 of 2024-07-19.
MAILING LISTS¶
There exists a mailinglist for questions relating to any program
in the yadifa package:
- *
- yadifa-users@mailinglists.yadifa.eu
for submitting questions/answers. - *
- http://www.yadifa.eu/mailing-list-users
for subscription requests.
If you would like to stay informed about new versions and official patches send a subscription request to via:
(this is a readonly list).
LICENSE AND COPYRIGHT¶
- Copyright
- (C)2011-2023, EURid
B-1831 Diegem, Belgium
info@yadifa.eu
AUTHORS¶
Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu
WWW: http://www.EURid.eu
2024-07-19 | YAKEYROLLD |